GURUJODHA KHALSA, DEPUTY COUNTY COUNSEL, CHC ROBIN BOWE, BSN, RN, C, CHC COMPLIANCE COORDINATOR PRIVACY OFFICER RISK MANAGER Rev. 10/10 2010 Annual Review.


1 GURUJODHA KHALSA, DEPUTY COUNTY COUNSEL, CHC ROBIN BOWE, BSN, RN, C, CHC COMPLIANCE COORDINATOR PRIVACY OFFICER RISK MANAGER Rev. 10/10 2010 Annual Review HIPAA Privacy, Security and Compliance

2 2010 Regulatory Changes Changes in the legal and regulatory environment Changes in the delivery and payment of healthcare costs. Changes in the privacy and security of Protected Health Information (PHI)

3 HIPAA Privacy Rule Changes for 2010 Health Information Technology for Clinical Health Act (HITECH) Signed into law as part of the American Recovery and Reinvestment Act of 2009 Major changes include :  Applies the HIPAA Privacy and Security Standards to Business Associates  Establishes Federal reporting requirements for privacy breaches

4 HIPAA Privacy Rule Change for 2010  Established new criminal and civil penalties for non-compliance and new enforcement responsibilities  New Patient Privacy Rights to include:  KMC must agree to a patient’s request for restriction of their health record for purpose of payment or healthcare operations  Patients may request a copy of their medical record electronically once an Electronic Medical record is in place  New restrictions on the use/disclosure of PHI for marketing and fundraising

5 Unauthorized Verbal Disclosure and HIPAA Use good judgment - limit the conversation of any private or confidential info to people who require the information in the normal performance of their job duties. Discussion of confidential information is not permitted in a public area (for example the cafeteria or the elevator). Be aware of your environment BEFORE you speak. (think – who might be able to hear me?)

6 Unauthorized Written or Electronic Disclosure and HIPAA Keep all documents secure (clipboard, locker or cubicle) KMC Staff/Medical Students or other persons assigned to KMC  not allowed to take PHI off Kern Medical Center campus Shred all PHI that is not used at the end of the day  gray shred bins Double check your documents (immunization records or other paperwork) have correct patient name labeled and are given to the correct patient Use a fax cover sheet for all faxes Double check the fax number before pressing send on a fax (PHI)-Patient Health Information

7 HIPAA Security KMC is required to establish policies and procedures assuring compliance with the HIPAA Security Standards Overall objective - maintain the privacy and confidentiality of information Requires initial and ongoing training

8 HIPAA Technical Safeguards Designed policies, procedures, and processes to protect, control and monitor information Designed to control access and assure appropriate consent and audit control Designed to prevent unauthorized access

9 HIPAA Administrative Safeguards KMC is required to have:  A Privacy Officer  Contracts with Business Associates  Policies and procedures in place

10 HIPAA Physical Safeguards All KMC staff that maintain PHI are required to: Secure PHI in locked file cabinets Assure at all times:  doors are locked where PHI is maintained  computer screens cannot be seen by the public  Fax machines are secure

11 Unauthorized Access to Information Systems Access that is not allowed to computerized academic or administrative records or systems: viewing or altering computer records, modifying computer programs or systems, releasing or dispensing information gained via unauthorized access, or interfering with the use or availability of computer systems or information. (45 CFR 164.312(a)(1) Access Controls)

12 Computer Access Access is granted by the Department Chairman, Manager or Supervisor for:  KMC paper and electronic record (need to know basis)  By job description or job responsibilities. Employees are mandated to keep passwords secure and to log off computer systems.

13 Deficit Reduction Act What Federal Programs are affected? Medicare Medi-Cal Any other federally funded contract or program Examples at KMC  CDPH at Sagebrush  CPS at OB/GYN Clinic CDPH-California Dept. of Public Health CPS-Child Protective Services

14 Compliance Remember….. Understand, follow and implement applicable KMC policies and procedures on behalf of the patient and their family.

15 Compliance False Claims An individual who files a false claim for the payment of health care services and  Has actual knowledge that information on a claim is false or  Deliberately Acts ignorant of the truth or falsity of the information; or  Acts in a reckless disregard of the truth or falsity of the information.

16 False Claims Act Penalizes the knowing submission of false or fraudulent claims to the United States Government. For each false claim submitted violators are subject to:  civil penalties and  criminal prosecution

17 Qui Tam Suits A lawsuit filed by a private party against one or more people or an organization claiming fraudulent practices against the U.S. Government  Informing the government does not allow the individual to claim a financial award Also called “whistleblower” suit  Any whistleblower is protected: “…any employee who is discharged, harassed, or otherwise discriminated against because of lawful acts by the employee…under the Act is entitled to any relief necessary to make the employee whole”

18 KMC REPORTING HOTLINE Patient safety issues (non-emergent) HIPAA privacy & security Issues Quality of Care Issues 326-2665 Compliance Issues Anonymous calls are OK! Emergency safety issues – dial 5#

19 Other Ways to Report You may contact any of the following people or organizations directly at any time: Compliance Coordinator – Robin Bowe RN: 326-2048 (phone), 307-2537 (pager) or e-mail: bower@kernmedctr.com Kern County Compliance Hotline: 800-620-6047 California Department of Public Health (CDPH): 661-336-0543 Federal – CMS Hotline: 800-447-8477 The Joint Commission: www.complaint@jointcommission.org or 630-792-5636 (fax)

20 Your Responsibility All employees must maintain the privacy and security of all documents (paper or electronic format) This requirement pertains to all areas of the hospital and off-site areas (clinics, Home Health, Sagebrush) Do not leave PHI in your car or take it home Know the code of the patient to prevent inadvertent disclosures (Opted Out Patients and Publicity Codes) Faxing: Fax to an authorized number and use a fax cover sheet. Confirm the number before sending the fax.

21 What You Need to Do Obtain an authorization from the patient for release of information Obtain permission (verbal/written) from the patient to discuss their care in front of family or friends.  Document this discussion in the medical record Do not place PHI on any portable devices including but not limited to:  thumb drives, cell phones, PDAs Do not share your passwords Log off the computer you are using

22 Consequences of Non-Compliance Fines and penalties levied against KMC Civil penalties for the Hospital and the employees involved Criminal sanctions including fines and jail time Disciplinary action up to and including termination Negative image in the community may be a reflection of any breach

23 What is HIPAA? Be careful with what others can see  PHI - (paper or electronic) Be careful of what others can overhear you saying Be careful not to talk about patients in public areas (nursing station, cafeteria, elevator etc.)

24 Any Questions

25 Post Test

26 All Questions are T or F Please mark answers on your scan-tron 1. Kern Medical Center’s Compliance Coordinator and Privacy Officer is Robin Bowe? 2. There are new Privacy Rules for the wrong use and disclosure (sharing) of PHI that are effective January 2009?

27 T or F? 1. Kern Medical Center’s Compliance Coordinator and Privacy Officer is Robin Bowe. 2. There are new Privacy Rules for the inappropriate (wrong) use (working with) and disclosure (sharing) of PHI that are effective January 2009.

28 T or F? 3. Kern Medical Center will be held liable for any inappropriate release of PHI? 4. Kern Medical Center must notify the patient and the California Department of Public Health of an incident?

29 T or F? 5. You should double check the fax number before you send a fax? 6. Access into a patient file should be related to those patients that you are taking care of or have been consulted to see?

30 T or F? 7. You are not allowed to access the patient file (paper or electronic) of family and friends? 8. KMC staff are expected to abide by the KMC Code of Conduct and Confidentiality Statement at all times?

31 T or F? 9. KMC discourages unethical behavior including fraud and abuse? 10. Both KMC and the County of Kern have a hotline to report fraud and abuse?

32 Reference Slides

33 HIPAA? HIPAA = The Health Insurance Portability and Accountability Act … A Federal Law Created in 1996. H = Health, I = Insurance, P = Portability *, A = (and) Accountability +, A = Act. It is considered the MOST significant healthcare legislation since Medicare in 1965!!! * Insurance Reform/Coverage + Administrative Simplification

34 Protected Health Information (PHI) Anything written, oral or electronic that can identify the patient Examples: 1. Name 2. Medical Record Number 3. Social Security Number 4. Birth date

35 Faxing PHI Only provide info the receiver needs Must use fax cover sheet when faxing PHI Verify number and recipient’s authority to have info before sending Fax machines are located only in secure, attended places Don’t leave incoming faxes unattended – pick them up right away! Think – is this information secure?

36 Confidentiality ADM-IM-314 Outlines Kern Medical Center’s philosophy regarding privacy and confidentiality Outlines the following: a. Internet b. E mail c. Faxing d. Messages on answering machines e. Sanctions: Outlines sanctions that will be applied to employees who fail to comply with the privacy policy and procedures or the requirements of HIPAA

37 Confidentiality Should only access files for which you have the “need to know” When accessing information it should be for the “minimum necessary” to carry out job responsibilities Access Code Process assists inpatient areas, Same Day Surgery and Diagnostic Treatment Center in releasing information

38 Inmates High Security: a. Restricted Visiting b. Restricted Calls c. Restricted Mail d. Guard(s) at the bedside Low Security: a. Unrestricted: Able to have visitors, mail, phone calls b. No guard at the bedside

39 HIPAA Security

40 Privacy is a right, confidentiality is a condition And security is a safeguard. If the SECURITY fails, a breach of CONFIDENTIALITY occurs, and the PRIVACY of the individual is invaded

41 IS Security Password: Keep Protected Log Off IS systems Audit trail Capability “Need to Know”

42 False Claims Act Federal Legislation (USC Title 31 § 3729-3733) Dates back to the Civil War (“Lincoln Law”) Allows private persons to sue those who defraud the government (qui tam)

43 California Fraud Laws California False Claims Act  Government Code 12650-12656  Mimics federal law  Holds individuals responsible if they knowingly benefit from a fraudulent claim

44 California Fraud Laws Welfare & Institutions Code  §14014, §14107 Penal Code  §487, §550 Business and Professions Code  §17200, §17500 Government Code  §12650

45 California Fraud Laws Covers a wide variety of actions:  Encouraging another to receive healthcare for which they are not eligible  Knowingly filing a claim for greater compensation than is eligible  Offering to pay bribes or kickbacks  Purchasing, ordering or leasing services that are unnecessary or unlawful

46 What Constitutes False Claims? Knowingly using (or causing to be used) a false statement or record to conceal, avoid, or decrease an obligation to pay money or transmit property to the Federal Government Conspiring with others to get a false or fraudulent claim paid by the Federal Government

47 Examples of Fraud Billing for services never rendered Billing for more expensive services than were rendered Performing medically unnecessary services solely to acquire insurance payment Misrepresenting non-covered services as medically necessary, covered services

48 Qui Tam Suits Awards may be from 10% – 30% of the total recovery from the defendant Conditions  The extent to which the person contributed to the prosecution of the action (how much information was provided)  If the government participates in the lawsuit

49 Your Responsibility Be aware of hospital policies and procedures dealing with Fraud and Abuse Understand how your department addresses prevention of false claims Report your concerns

50 Notice of Privacy Practices ADM-RI-625 Outlines how Kern Medical Center may Use and Disclose Protected Health Information (PHI) Informs the patient of their rights under HIPAA for Use and Disclosure of PHI Patient signs an Acknowledgment Form for Receipt of Notice of Privacy Practices

51 Notice of Privacy Practices (cont’d) Only needs to be signed once unless we change the Notice Forensic/Correctional/Custodial patients do not have the right to the Notice of Privacy Practices Process in place for Admitting to get it signed in the event the patient is unable to do so Quality management tool to monitor compliance Posted on the Internet in English and Spanish at www.kernmedicalcenter.com

52 Communications by Alternative Means ADM-RI-626 Patient’s right to request Kern Medical Center to send communications of PHI by alternative means or locations Example: 1) Mail delivered to a different address 2) Phone messages delivered to a friend’s house

54 Verbal Communication Good judgment is utilized to limit the discussion of any private or confidential info with appropriate individuals who require the information in the normal performance of their job duties. Discussion of confidential information is not permissible in any public area.

55 Permitted Uses and Disclosures ADM-IM-340 Outlines those disclosures that may be made with and without the authorizations of the patient Examples a. Tumor Registry b. Law Enforcement c. Organ Donation

56 Designation of Privacy Officer ADM-LD-615 Do you know who Kern Medical Center’s Privacy Officer is? Answer: Robin Bowe BSN, RNC Phone: 326-2048 Pager: 307-2537 Office: 2361 Responsible for handling complaints and concerns regarding privacy and confidentiality

57 Use and Disclosure of PHI Requiring Patient Authorization ADM-IM-320 Outlines the steps in having the patient fill out their authorization form in order for KMC to disclose their PHI per their request Available in English and Spanish on the Intranet under Physician Orders and Forms

58 General Uses and Disclosures of PHI ADM-IM-325 Outlines the general rules and regulations for Use and Disclosure of PHI a. Who can we release information to? b. When do you not need a consent? Example: Is it for Treatment, Payment, Health Care Operations (TPO) c. Know the definitions located in all policies

59 Minimum Necessary Use and Disclosure of PHI ADM-IM-345 Outlines Kern Medical Center’s responsibility to disclose the minimum amount of PHI to carry out the intended purposes or intent of the disclosure Example: Disclosure related to this visit or hospitalization and not something that happened 10 years ago

60 Internet Policy ADM-IM-316 Do you use the Internet? This policy outlines the guidelines for Internet use at KMC Certain Internet sites are automatically blocked by Information Systems

61 E Mail ADM-IM-110 Do you use e mail? Outlines the employee responsibility in email usage at KMC Should be used for business use only and not for personal use

62 Faxes Use Discretion – limit the information transmitted by fax to what is minimally necessary to meet the requester’s needs. Must use fax cover sheet when transmitting protected health info. Verify number and the recipient’s authority before sending PHI Fax machines are not to be located in open/unattended areas. Do not leave incoming faxes unattended.

63 Maintenance of Computer Access to the Hospital Information Systems ADM-IM-105 Outlines how employees obtain access to the Hospital Information Systems Outlines employee responsibility for Information Systems Requires all Employees to sign a Confidentiality Agreement

64 Media Policy ADM-RI-203 Outlines Kern Medical Center’s responsibility for Use and Disclosure of PHI to the News Media Employee Responsibility Refer all phone calls to Public Relations Monday-Friday during normal business hours and to the House Supervisor after hours and weekends

65 Abuse: Identification of Victims and Reporting Requirements ADM-RI-601 Kern Medical may disclose Protected Health Information (PHI) without authorization to a government authority when the organization reasonably believes the individual to be a victim of abuse, neglect, or domestic violence. This is permitted to the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law

66 Mitigation ADM-LD-613 Definition: To decrease the harmful effects Example: When reviewing how PHI is used at KMC or once a breach or violation occurs, KMC will take steps to ensure that the breach will not happen again. This is usually done by the development of an Action Plan with all parties involved

67 Sanctions Unauthorized access or disclosure of PHI or violations relating to PHI may result in disciplinary action up to and including termination of employment

68 Workforce Training ADM-LD-617 Outlines how education regarding policies and procedures occurs at KMC Reviews what may generate educational needs Example: a. Changes in the Law b. Change in Standard

69 Record Retention ADM-IM-320 Requires KMC to keep records related to all HIPAA and Compliance related decisions for a period of 6 years or for the length of time required to keep the medical record

70 What is the Result of Non Compliance? The actions address claims for service by healthcare organizations that were either not provided or that clearly misrepresented the treatment actually given to a patient By contrast now, the government is aggressively going after cases and allegations of “medically unnecessary or substandard care”

71 Educational Process Education will be on the Intranet Complete the Power Point Presentation Complete Post Test Mark your answers on a Scan Tron Sign a Blue Educational Sheet with your DCPOS number Turn all documents in to your Manager

72 HIPAA News Web Page on the Intranet Educational requirements for HIPAA will be placed here Links and other related websites can be accessed here Articles about HIPAA can be viewed here Criminal convictions related to HIPAA will be posted here

